http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
http://www.openwall.com/lists/oss-security/2017/09/22/2

Some changes were made to make the patch apply.

Notably, the DestroyJNG() function in the upstream diff has been replaced by
its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(),
and DestroyImage(). See
http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.

# HG changeset patch
# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
# Date 1504014487 14400
# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
# Parent  38c362f0ae5e7a914c3fe822284c6953f8e6eee2
Fix Issue 439

diff -ru a/coders/png.c b/coders/png.c
--- a/coders/png.c	1969-12-31 19:00:00.000000000 -0500
+++ b/coders/png.c	2017-09-30 08:20:16.218944991 -0400
@@ -1176,15 +1176,15 @@
   /* allocate space */
   if (length == 0)
     {
-      (void) ThrowException2(&image->exception,CoderWarning,
-                             "invalid profile length",(char *) NULL);
+      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+          "invalid profile length");
       return (MagickFail);
     }
   info=MagickAllocateMemory(unsigned char *,length);
   if (info == (unsigned char *) NULL)
     {
-      (void) ThrowException2(&image->exception,CoderWarning,
-                             "unable to copy profile",(char *) NULL);
+      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+          "Unable to copy profile");
       return (MagickFail);
     }
   /* copy profile, skipping white space and column 1 "=" signs */
@@ -1197,8 +1197,8 @@
           if (*sp == '\0')
             {
               MagickFreeMemory(info);
-              (void) ThrowException2(&image->exception,CoderWarning,
-                                     "ran out of profile data",(char *) NULL);
+              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                  "ran out of profile data");
               return (MagickFail);
             }
           sp++;
@@ -1234,8 +1234,9 @@
   if(SetImageProfile(image,profile_name,info,length) == MagickFail)
     {
       MagickFreeMemory(info);
-      (void) ThrowException(&image->exception,ResourceLimitError,
-                            MemoryAllocationFailed,"unable to copy profile");
+      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+           "unable to copy profile");
+      return MagickFail;
     }
   MagickFreeMemory(info);
   return MagickTrue;
@@ -3285,7 +3286,6 @@
               if (status == MagickFalse)
                 {
                   DestroyJNGInfo(color_image_info,alpha_image_info);
-                  DestroyImage(alpha_image);
                   (void) LogMagickEvent(CoderEvent,GetMagickModule(),
                       "    could not allocate alpha_image blob");
                   return ((Image *)NULL);
@@ -3534,7 +3534,7 @@
       CloseBlob(color_image);
       if (logging)
         (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-                              "    Reading jng_image from color_blob.");
+            "    Reading jng_image from color_blob.");

       FormatString(color_image_info->filename,"%.1024s",color_image->filename);

@@ -3558,13 +3558,18 @@

       if (logging)
         (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-                              "    Copying jng_image pixels to main image.");
+            "    Copying jng_image pixels to main image.");
       image->rows=jng_height;
       image->columns=jng_width;
       length=image->columns*sizeof(PixelPacket);
+      if ((jng_height == 0 || jng_width == 0) && logging)
+        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+            "    jng_width=%lu jng_height=%lu",
+            (unsigned long)jng_width,(unsigned long)jng_height);
       for (y=0; y < (long) image->rows; y++)
         {
-          s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
+          s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+             &image->exception);
           q=SetImagePixels(image,0,y,image->columns,1);
           (void) memcpy(q,s,length);
           if (!SyncImagePixels(image))
@@ -3589,45 +3594,79 @@
               CloseBlob(alpha_image);
               if (logging)
                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-                                      "    Reading opacity from alpha_blob.");
+                     "    Reading opacity from alpha_blob.");

               FormatString(alpha_image_info->filename,"%.1024s",
                            alpha_image->filename);

               jng_image=ReadImage(alpha_image_info,exception);

-              for (y=0; y < (long) image->rows; y++)
+              if (jng_image == (Image *)NULL)
                 {
-                  s=AcquireImagePixels(jng_image,0,y,image->columns,1,
-                                       &image->exception);
-                  if (image->matte)
-                    {
-                      q=SetImagePixels(image,0,y,image->columns,1);
-                      for (x=(long) image->columns; x > 0; x--,q++,s++)
-                        q->opacity=(Quantum) MaxRGB-s->red;
-                    }
-                  else
+                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                       "    jng_image is NULL.");
+                  if (color_image_info)
+                    DestroyImageInfo(color_image_info);
+                  if (alpha_image_info)
+                    DestroyImageInfo(alpha_image_info);
+                  if (color_image)
+                    DestroyImage(color_image);
+                  if (alpha_image)
+                    DestroyImage(alpha_image);
+                }
+              else
+                {
+
+                  if (logging)
                     {
-                      q=SetImagePixels(image,0,y,image->columns,1);
-                      for (x=(long) image->columns; x > 0; x--,q++,s++)
-                        {
-                          q->opacity=(Quantum) MaxRGB-s->red;
-                          if (q->opacity != OpaqueOpacity)
-                            image->matte=MagickTrue;
-                        }
+                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                          "    Read jng_image.");
+                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                          "      jng_image->width=%lu, jng_image->height=%lu",
+                          (unsigned long)jng_width,(unsigned long)jng_height);
+                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                          "      image->rows=%lu, image->columns=%lu",
+                         (unsigned long)image->rows,
+                         (unsigned long)image->columns);
                     }
-                  if (!SyncImagePixels(image))
-                    break;
-                }
-              (void) LiberateUniqueFileResource(alpha_image->filename);
-              DestroyImage(alpha_image);
-              alpha_image = (Image *)NULL;
-              DestroyImageInfo(alpha_image_info);
-              alpha_image_info = (ImageInfo *)NULL;
-              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-                  " Destroy the JNG image");
-              DestroyImage(jng_image);
-              jng_image = (Image *)NULL;
+
+                  for (y=0; y < (long) image->rows; y++)
+                   {
+                     s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+                                          &image->exception);
+                     if (image->matte)
+                       {
+                         q=SetImagePixels(image,0,y,image->columns,1);
+                         for (x=(long) image->columns; x > 0; x--,q++,s++)
+                           q->opacity=(Quantum) MaxRGB-s->red;
+                       }
+                     else
+                       {
+                         q=SetImagePixels(image,0,y,image->columns,1);
+                         for (x=(long) image->columns; x > 0; x--,q++,s++)
+                           {
+                             q->opacity=(Quantum) MaxRGB-s->red;
+                             if (q->opacity != OpaqueOpacity)
+                               image->matte=MagickTrue;
+                           }
+                       }
+                     if (!SyncImagePixels(image))
+                       break;
+                   }
+                 (void) LiberateUniqueFileResource(alpha_image->filename);
+                 if (color_image_info)
+                   DestroyImageInfo(color_image_info);
+                 if (alpha_image_info)
+                   DestroyImageInfo(alpha_image_info);
+                 if (color_image)
+                   DestroyImage(color_image);
+                 if (alpha_image)
+                   DestroyImage(alpha_image);
+                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                     " Destroy the JNG image");
+                 DestroyImage(jng_image);
+                 jng_image = (Image *)NULL;
+               }
             }
         }
